While collecting ideas and topics for the Nexus'23 Leadership Summit, I have had the opportunity to discuss the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals (CPGs) with numerous cybersecurity leaders. My colleague Josh Corman has held similar conversations about how these CPGs are likely to affect organizations across sectors. We recently compared notes on how the CPGs might affect the food and beverage sector specifically, and on how these goals offer a framework organizations can use to protect themselves against cyber attacks.
As companies in the food and beverage sector adopt cyber-physical systems and pursue digital transformation, they must evolve their cybersecurity strategies to mitigate the risk posed by an expanded attack surface. CISA's Cybersecurity Performance Goals (CPGs), a foundational set of practices applicable across all critical infrastructure sectors, give food and beverage companies an actionable set of quick wins they can implement to meet this challenge and build cyber and operational resilience. Although the goals are voluntary, they establish a common set of cybersecurity practices for critical infrastructure and are especially useful for helping small and medium-sized organizations kickstart their cybersecurity efforts.
Justin's Prediction 1: CPGs will become the baseline standard. While NIST and IEC 62443 remain significant, their intricacy poses difficulties for the many "target-rich but cyber-poor" entities in the food and beverage sector. Although not without challenges, the CPGs are straightforward, understandable, and, most importantly, quantifiable.
Justin's Prediction 2: Smaller food and beverage companies may not have the means or expertise to follow the CPGs independently. Stimulus funding through the government will become available to assist these organizations in adopting the guidelines.
Justin's Prediction 3: User identity, identity administration, and access management will require a single source of truth to address the CPG goals. Many food and beverage companies may start using a central authentication system to manage user accounts and access rights, as recommended by the CPGs.
Josh's Prediction 1: The CPGs are currently voluntary; however, based on the White House National Cybersecurity Strategy direction to sector regulators, we predict that those agencies will craft mandatory minimum regulations — within their existing authorities — with the CPGs as their foundation.
Josh's Prediction 2: Private sector insurers may start using the CPGs to qualify companies for cyber insurance as many companies may begin to look at cyber insurance to mitigate the risk of cyber attacks.
Josh's Prediction 3: In the event of a cyber attack, courts may use the CPGs as a threshold for negligence. Companies that don't follow the guidelines may be held responsible for any damages caused by the attack.
CISA's CPGs are undoubtedly a valuable resource for food and beverage companies that want to protect themselves from cyber attacks. Although following the guidelines is not compulsory, we believe that regulatory compliance and government involvement will come sooner than you think, solidifying these goals as the industry norm. The CPGs give food and beverage companies a baseline for adopting fundamental security protections and a path toward a strong security posture. Although these goals may seem daunting at first glance, Claroty experts are here to provide guidance and recommendations throughout your unique cybersecurity journey.